HOR-4017 CLONE 3.2.2 - Unauthenticated download of any file from server with "processes/processes_GetFile" page + Path Traversal

- Add path validation: only PATH_DATA_MAILTEMPLATES or PATH_DATA_PUBLIC are allowed
Marco Antonio Nina Mena
2017-10-30 08:31:21 -04:00
parent 64554142a7
commit 33a6e236b9
2 changed files with 26 additions and 8 deletions


@@ -181,6 +181,10 @@ class RBAC
'DEL' => ['PM_SETUP'],
'LST' => ['PM_SETUP'],
'TEST' => ['PM_SETUP']
],
'processes_GetFile.php' => [
'mailTemplates' => ['PM_FACTORY'],
'public' => ['PM_FACTORY']
]
];
$this->aliasPermissions['PM_CASES'] = [self::PM_GUEST_CASE];
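Review bot: The new `'processes_GetFile.php'` entry lists only `mailTemplates` and `public`, and nothing visible in this hunk shows what the authorization lookup does when the request carries a different or missing value for that key; if unlisted keys fall through as allowed, the unauthenticated download this commit targets would stay reachable. Confirm that the lookup denies by default for any file present in this map, and that these keys are matched exactly against the same request value the page uses to choose its base directory. A short comment above the entry would make the intent explicit, e.g. `// download page: both directory selectors require PM_FACTORY; any other selector must be rejected`. The array and its enclosing method start and end outside the hunk, and the path validation named in the description is in the other changed file, which is not shown here.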